The National Institute of Standards and Technology (NIST) is requesting comments on the final public draft of Security and Privacy Controls for Federal Information Systems and Organizations, Special Publication (SP) 800-53, Revision 4. The document, two years in the making, is the latest revision to a document that is considered the principal catalog of security safeguards and countermeasures that federal agencies use to protect their information and information systems.
This latest revision of Security and Privacy Controls adds new guidance for handling insider threats, supply chain risk, mobile and cloud computing technologies and other cybersecurity issues and challenges. Other areas addressed in the update include application security, firmware integrity, distributed systems, and advanced persistent threat. The revised SP 800-53 also contains a new appendix of privacy controls and related implementation guidance based on the internationally recognized Fair Information Practice Principles.*
"This is by far the most extensive update to our control catalog since it was first published in 2005," says Ron Ross, FISMA Implementation Project leader and NIST fellow. "We received and responded to several thousand comments from across the federal government, industry and academia during the initial public comment period and have greatly increased the cybersecurity toolset for our customers as a result."
NIST also modified its guidance on security assurance, which outlines how agencies establish confidence measures to ensure that the security controls put in place are effective in protecting critical missions and business operations. The new assurance controls can also help developers of information systems, IT component products and services to increase the degree of trustworthiness in those entities—especially when deployed in critical infrastructure applications. "This supports our strategy of 'Build It Right, Then Continuously Monitor,'" Ross adds.
NIST addressed potential gaps in threat coverage, added new security controls and control enhancements, clarified security control language, provided new mapping tables to international security standards and provided more user-friendly naming conventions for controls and control enhancements. A new concept of "overlays" was also introduced in the updated publication to allow agencies to specialize their security plans for specific missions or business applications, particular operating environments, and for specific technologies.
This revision was conducted as part of the Joint Task Force Transformation Initiative, comprising security experts from NIST, the Department of Defense, the Intelligence Community and the Committee on National Security Systems.
The public draft of Security and Privacy Controls for Federal Information Systems and Organizations, Special Publication 800-53, Revision 4 may be found at http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800_53_r4_draft_fpd.pdf. Comments on SP 800-53, Revision 4 should be sent by March 1, 2013, to firstname.lastname@example.org.
*Fair Information Practice Principles can be found at www.ftc.gov/reports/privacy3/fairinfo.shtm